To get to where they are today, technology firms have always made innovation a priority, with little thought given to traditional compliance or governance activities. While this innovation drive has provided them with the leading positions they enjoy today and established them as global economic engines, it also has sparked a “techlash,” with calls for better corporate governance and regulatory oversight. In this podcast, Protiviti managing directors Matt Moore, Risk & Compliance practice; Gordon Tucker, Technology Industry Global Leader; and Jim DeLoach, Global Thought Leadership Program Leader, offer ideas on how tech firms can balance these competing priorities and make compliance risk management and corporate governance core competencies, similar to innovation.
This is the second in our podcast series on the Responsible Technology Firm. You can learn more at www.protiviti.com.
Powerful Insights Podcast: The Responsible Tech Firm – Corporate Governance and Regulatory Compliance [transcript]
Kevin Donahue: Hello, and welcome to a new installment of Powerful Insights and the second podcast in our series, “The Responsible Technology Firm of the Future.” This is Kevin Donahue, a senior director with the Protiviti Marketing group. In this series, we are discussing some of the key issues and considerations for board members and executives in the technology industry to address as they seek to create or advance to become a responsible technology firm of the future, marrying ongoing innovation with strong corporate governance and social responsibility practices.
In today’s episode, our leaders talk about the importance of addressing corporate governance and regulatory compliance as priorities, similar to how technology firms focus on new products and innovations.
Matthew Moore is a managing director with Protiviti and leader of our Risk and Compliance Solutions group. In our recent conversations, Matt commented on the technology industry’s approach to innovation versus its approach to compliance.
Matthew Moore: It’s an industry that, by definition, is all about innovation, and so there are capabilities resident in many of these companies that would complement and support strong regulatory compliance programs. All that said, compliance has not been a priority – it has not been top of mind for the technology industry – and therefore, managing compliance risk, ensuring compliance, is not a core competency that exists today.
Kevin Donahue: Protiviti Managing Director Gordon Tucker leads our global Technology Industry practice. Gordon notes that after a decade of rapid growth, the industry now faces the reality of regulation that carries a new urgency for these organizations.
Gordon Tucker: These companies, if you look back, have been unbelievable growth engines. Back up 10 years, and none of them were in the top 10 in terms of market value or, frankly, many other metrics. You look at the largest companies on Earth right now, and the majority of them in the top 10 are technology companies. In addition, most every other industry is starting to think of itself in some ways as a technology company in how they deliver their services, deliver products, etc. So, I think the overall urgency around this issue is high, and rightly so. I think the industry – again, correctly – is saying about itself, “We probably do need some form of regulation.” The question is, how much? The question is, how will companies embrace that technology? So, this is that swing between not wanting to tamp down on the growth of these organizations and also not letting them run wild.
Kevin Donahue: Next, Matt offers some perspective on corporate governance and regulatory compliance based on many years working with organizations in the financial services industry.
Matthew Moore: One of the clear lessons and real opportunities for the technology industry is approaching compliance from the standpoint of “Compliance is a risk.” It’s a risk to the organization, it’s a risk to enterprise value, but at the same time, it’s a risk to be managed. So, the management of compliance risk is most effectively done when there is a clear, well-established program in place, a framework through which it occurs, and recognition that the prioritization of the relative risk and the impact can drive the investment decisions that are necessary, the mitigation strategies to be executed.
Finally, acknowledging that these compliance requirements are not static, and so they will continue to evolve, new requirements will come on board, and therefore, any compliance program that operates, by design and by necessity, must be dynamic to adapt to that changing environment and those changing requirements. So, where many financial institutions went through and strengthened their compliance programs, that was accomplished by bolting on after the fact to existing activities. Candidly, that wasn’t always the most efficient or effective way to go about that, but due to time constraints, due to scrutiny or pressure, it was done out of necessity.
Where the real opportunity exists for technology firms is, in many respects, they’re starting with a completely clean sheet of paper. They have core competencies in the development and the release of products and services that will allow them to, frankly, leapfrog what are known today as the leading practices around compliance risk management, because they will deliver it through their core capabilities, and not by adapting and adopting something that has worked in another industry but has not been done optimally.
For many firms that have operated in that environment, you make choices: Where do you want to be on the spectrum? At one end of the spectrum, we want to do the bare minimum, we want to stay out of jail, just meet the requirements. At the other end of the spectrum, and maybe a more progressive way to approach it, is, how do we want to deliver our brand into the market, and how do we want that to be perceived? Related to that, if trust is something we inherently value, and we would like our customers and our stakeholders to have trust in us, then we might anticipate not necessarily what we have to do under the regulations, but what’s the right thing to do and what’s the way that we can do that to be able to strengthen the trust they have in us, and therefore strengthen the brand.
So, where many organizations that have taken the more progressive view have gone is looking through that their products and services and trying to anticipate or plan out scenarios to where, “What could some of the negative consequences be? How could our customers or clients be perceived as unfairly treated or not benefiting from what we deliver?” Then, frankly, working that back to ensure that the processes that they operate, the products that they deliver, have controls built in to ensure that the outcomes they desire are delivered consistently, thereby reinforcing their brand promise and strengthening the trust they have.
Kevin Donahue: Jim DeLoach is a managing director with Protiviti and a member of the firm’s Solutions Leadership Team. He also heads Protiviti’s Global Thought Leadership program. Jim explains that from the perspective of the board of directors and executive management, the key question is how to achieve the right balance between governance and innovation.
Jim DeLoach: I mean, it’s a question of balance. So, on the one hand, you’ve got the entrepreneurial activities of the organization that are driving the creation of enterprise value. On the other, you’ve got the risk management and compliance focus on ensuring that we’re preserving that value. So, then, we’re looking at risk and reward in terms of value-creation opportunities. So, I think that what boards and executives in the industry need to focus on is what executives and board members in the financial services and other industries are doing in giving this attention … that the trick is, how do you create a balance so that neither the entrepreneurial forces of the organization that are creating value and the control forces of the organization that are preserving value are not disproportionately strong relative to the other. That’s the question of that balance. It’s a mind-set, and it’s incorporating that in the agenda.
Kevin Donahue: Gordon agrees, noting that governance does not need to be an impediment, but its importance must be driven by leadership.
Gordon Tucker: A lot of it has to come from that tone from the top, right? So, many emerging tech companies are young, are new and are driving heavily toward changing the world with whatever their product or service is, and having the brakes put on that effort a little bit can be disorienting for those companies. It doesn’t have to slow the development of products and services. It doesn’t have to take away from the unique culture of emerging technology companies and established companies as well, but it allows those companies to grow in a way that is more controlled and responsible in its contributions to our society.
Kevin Donahue: For more information, read “Responsible Technology Firm of the Future” series and listen to other podcasts in this series, all of which are available at protiviti.com.
Read more posts on The Protiviti View related to the technology industry.